https://cerbos.dev logo
#community
Title
# community
s

sdktr

08/10/2022, 10:15 PM
2nd question: any hints on the concept of ‘Priviliged Access Managament’ or ‘Just In Time’ access, in relation to cebos. Do your users have these time based concepts implemented by means of a conditonal time based derivedpolicy? So when requesting ‘temporary access’ to manage a resource, a acompanying temporary policy has to be added via Admin API?
a

Alex Olivier (Cerbos)

08/11/2022, 7:25 AM
That is certainly one way to do it - another option that allows your policies to stay static is to pass in the time window as an attribute of the user and then use the time conditions in the policies to grant access.
s

sdktr

08/11/2022, 9:36 PM
That one I don’t grasp completely? Do you mean storing a certain timewindow in the policy and sending the current time with the authZ request? Then evaluate whether the requested time falls into the window defined on the policy?
a

Alex Olivier (Cerbos)

08/12/2022, 8:13 AM
Something like this: Your principal object would contain attributes which define when access starts and ends
Copy code
{
  "id": "sally",
  "roles": [
    "USER"
  ],
  "attr": {
    "accessStart": "2021-10-01T10:00:00.021",
    "accessEnd": "2021-10-02T10:00:00.021"
  }
}
Then in your policy you could have:
Copy code
- actions: ["someAction"]
  effect: EFFECT_ALLOW
  roles:
    - USER
  condition:
    match:
      expr: now() > timestamp(request.principal.attr.accessStart) && now() < timestamp(request.principal.attr.accessEnd)
3 Views